Daily Summary
AsyncRAT sample volume rose to 15 new samples today, a 42% increase over the rolling 7-day average of roughly 11 samples per day. This is the highest single-day count in the current observation window and signals renewed campaign activity after a relatively steady week. The increase comes entirely from non-PE formats (VBS and BAT loaders plus a single Excel document); PE executables fell in absolute terms, not merely as a share of the total.
New Samples Detected
Today's 15 samples show a clear shift in packaging: only 6 were PE executables (.exe), down from the typical 10-12 per day, while VBS scripts rose to 5 and BAT files to 3. One .xls file was also observed, suggesting a possible pivot toward macro-laced documents. File names follow randomized alphanumeric patterns, with no name reused across samples.
Distribution Methods
The high VBS and BAT count is consistent with delivery via phishing emails carrying script attachments or embedded downloaders rather than direct PE drops. The single .xls file suggests ongoing testing of macro-based initial access, though this remains a small fraction of overall activity. No ZIP or ISO containers were observed today.
Detection Rate
Current variants achieve moderate evasion: preliminary scans show 60-70% detection across major engines, with the VBS and BAT files scoring lower (50-55%) than the .exe samples. These are first-scan figures and should be expected to rise as engines add signatures over the following days. The .xls sample is likely a stub with minimal macro content, designed to slip past signature-based detection on first contact.
C2 Infrastructure
100 new C2 servers were logged today, roughly double the daily average of 45-50. All new IPs are residential proxies or compromised hosts, with no clean geolocation clustering. No new domains were associated with these servers. Because these addresses are residential and rotate, IP-based blocking will decay quickly; treat them as short-lived indicators rather than a durable blocklist.
7-Day Trend
Activity has accelerated over the past 48 hours after a stable 5-day period averaging 9-10 samples per day. Today's 42% surge may indicate a campaign push timed to EMEA business hours.
Security Analysis
The sharp pivot to script-based loaders (VBS and BAT) combined with a single .xls file suggests AsyncRAT operators are testing a multi-stage delivery chain: the initial script downloads a secondary payload, likely a .NET loader, from a rotating C2. This resembles tactics used by the "TA577" threat cluster in early 2026, but with AsyncRAT's characteristic encrypted C2 channel. Actionable recommendations: block execution of VBS and BAT files delivered as email attachments (the script hosts involved are wscript.exe and cscript.exe for VBS and cmd.exe for BAT), and alert on outbound connections from those script hosts, or from processes they spawn, to residential-proxy IP ranges on ports 443 and 8080.
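The monitoring half of that recommendation, as an added example that is not part of this report or of any vendor's tooling: a small Python detector run over constructed Sysmon-style process-create and network-connect events. It flags a mail client spawning a script host or a VBS/BAT file, tracks that process's descendants, and rates an outbound connection on 443 or 8080 as critical when it comes from that lineage, high when a script host reaches a residential-proxy range, and medium when only one of the two holds. The event dicts, the GUIDs, the MAIL_CLIENTS/SCRIPT_HOSTS sets and the proxy ranges (TEST-NET blocks) are constructed placeholders; a real deployment would feed it live Sysmon events and a residential-proxy feed.

```python
"""Detection logic for the mail-delivered script-loader chain described above.

Added example, not part of the original report or any vendor tooling.
Assumptions: events are Sysmon-style dicts (EventID 1 = process create,
EventID 3 = network connect); RESIDENTIAL_PROXY_RANGES stands in for a real
residential-proxy feed; all sample events and GUIDs below are constructed.
"""
import ipaddress

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Hosts that run VBS/BAT loaders, plus the PowerShell stage they typically spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".bat", ".cmd")
WATCH_PORTS = {443, 8080}
# Placeholder TEST-NET blocks standing in for a residential-proxy feed (assumption).
RESIDENTIAL_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def image_name(path):
    """Lowercase basename of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_proxy_range(ip):
    """True if ip falls inside one of the (placeholder) residential-proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PROXY_RANGES)


def references_script(command_line):
    """True if any argument on the command line ends in a loader script extension."""
    return any(tok.strip('"').endswith(SCRIPT_EXTS) for tok in command_line.lower().split())


def detect_script_loader_chain(events):
    """Apply two rules to events in time order; return (rule, severity, guid, detail).

    Rule 1: a mail client spawning a script host or a VBS/BAT file.
    Rule 2: outbound on 443/8080 from a script host or to a proxy range, rated
            critical when the connecting process descends from a Rule 1 hit.
    """
    alerts = []
    tainted = set()  # GUIDs of processes descending from a mail-launched script
    for ev in events:
        if ev["EventID"] == 1:
            img = image_name(ev["Image"])
            parent = image_name(ev["ParentImage"])
            if ev["ParentProcessGuid"] in tainted:
                tainted.add(ev["ProcessGuid"])  # propagate taint to children
            if parent in MAIL_CLIENTS and (img in SCRIPT_HOSTS or references_script(ev["CommandLine"])):
                tainted.add(ev["ProcessGuid"])
                alerts.append(("script_from_mail", "high", ev["ProcessGuid"],
                               f"{parent} -> {img}: {ev['CommandLine']}"))
        elif ev["EventID"] == 3:
            port = int(ev["DestinationPort"])
            if port not in WATCH_PORTS:
                continue
            img = image_name(ev["Image"])
            proxy = in_proxy_range(ev["DestinationIp"])
            if ev["ProcessGuid"] in tainted:
                severity = "critical"  # full chain observed: mail -> script -> beacon
            elif img in SCRIPT_HOSTS and proxy:
                severity = "high"
            elif img in SCRIPT_HOSTS or proxy:
                severity = "medium"
            else:
                continue  # ordinary process to an ordinary destination
            detail = f"{img} -> {ev['DestinationIp']}:{port}"
            if proxy:
                detail += " (residential proxy range)"
            alerts.append(("outbound_beacon", severity, ev["ProcessGuid"], detail))
    return alerts


# Constructed sample telemetry: a mail-delivered VBS loader spawning PowerShell
# that beacons to a proxy range, plus benign Explorer/cmd and browser activity.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-B}", "ParentProcessGuid": "{guid-A}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\AppData\Local\Temp\Inv_7f3a9c.vbs"'},
    {"EventID": 1, "ProcessGuid": "{guid-C}", "ParentProcessGuid": "{guid-B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage2.ps1"},
    {"EventID": 3, "ProcessGuid": "{guid-C}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{guid-D}", "ParentProcessGuid": "{guid-E}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 3, "ProcessGuid": "{guid-F}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{guid-D}", "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "192.0.2.20", "DestinationPort": 8080},
]

if __name__ == "__main__":
    for alert in detect_script_loader_chain(SAMPLE_EVENTS):
        print(alert)
```

Port-only matching is deliberately not an alert on its own: almost everything on a workstation talks to 443, so the process lineage and the proxy-range check are what separate the chain described above from background HTTPS traffic. On the constructed sample the detector raises three alerts: the Outlook-to-wscript launch, the PowerShell child beaconing to the proxy range (critical), and a medium-confidence hit for an unrelated cmd.exe reaching out on 8080.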